Would you be able to tell us how sessions are determined by the sessions report?

Question · Answered · Updated 5 years ago

Asked by The Lonesome Packet, posted 5 years ago

Reply from Darragh Delaney, Employee:

A session is a unique connection between two hosts with the same source and destination port numbers. Other monitoring tools may call this a flow, and it sometimes causes confusion.

A flow is a subset of this as seen by our traffic analysis engine. For a single session you may have multiple flows as the LANGuardian updates its database over time.

When the traffic analysis engine sees a new connection being established, it creates an entry in the program's internal hash for this flow. It tracks the following information for the flow:
1. sensor id
2. IP Protocol
3. Src IP Address
4. Dst IP Address
5. Source Port
6. Destination Port
7. Fingerprinted Service
8. IP TOS
9. Bytes Sent
10. Bytes Received
11. Flow Start Time
12. Flow End Time

Each time we see a new packet belonging to this flow, we update the following fields:
1. Bytes Sent
2. Bytes Received
3. Flow End Time

Every five minutes the traffic analysis engine writes a record to the LANGuardian database recording the volume of traffic associated with that flow for the previous five minutes. This means that for a long-lived flow there will be multiple flow records in the database, so when you run the flows report you will see multiple entries for the same flow. If you look closely, however, the following attributes will be different:
1. Bytes Sent
2. Bytes Received
3. Flow End Time

Hope this helps
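To make the session/flow distinction in the reply above concrete, here is a toy flow tracker that replays the described behaviour: a hash keyed on sensor id, IP protocol, source and destination address and port; per-packet updates of bytes sent, bytes received and end time; a record written every five minutes for each flow that carried traffic; and a second pass that folds those per-interval records back into one session per unique connection. This is an added example, not LANGuardian code, and it is driven by packet timestamps so it runs offline. The field names, the rule that the side sending the first packet is the "source", the port-lookup stand-in for service fingerprinting, the expiry of flows that were idle for a whole interval, and the packets themselves are this example's assumptions (the packets are constructed).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERVAL = 300.0  # five minutes between database writes, as described in the reply

# Assumption: a port lookup stands in for the engine's content-based service fingerprinting.
SERVICE_BY_PORT = {53: "dns", 80: "http", 443: "https"}

# Flow key: sensor id, IP protocol, src IP, dst IP, src port, dst port (fields 1-6 above)
FlowKey = Tuple[int, int, str, str, int, int]


@dataclass
class Packet:
    ts: float       # seconds
    sensor: int
    proto: int      # 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int
    dport: int
    length: int     # bytes
    tos: int = 0


@dataclass
class FlowState:
    start: float
    end: float
    tos: int
    bytes_sent: int = 0       # bytes in the direction of the first packet seen
    bytes_received: int = 0   # bytes in the reverse direction


class FlowTracker:
    def __init__(self, interval: float = INTERVAL):
        self.interval = interval
        self.flows: Dict[FlowKey, FlowState] = {}   # the "internal hash"
        self.records: List[dict] = []               # what would be written to the database
        self.next_flush: Optional[float] = None

    def process(self, pkt: Packet) -> None:
        if self.next_flush is None:
            self.next_flush = pkt.ts + self.interval
        while pkt.ts >= self.next_flush:            # five-minute timer, driven by packet time
            self.flush(self.next_flush)
            self.next_flush += self.interval
        fwd: FlowKey = (pkt.sensor, pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev: FlowKey = (pkt.sensor, pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if rev in self.flows:                       # reply direction of a known connection
            self.flows[rev].bytes_received += pkt.length
            self.flows[rev].end = pkt.ts
            return
        st = self.flows.get(fwd)
        if st is None:                              # new connection: create the hash entry
            st = FlowState(start=pkt.ts, end=pkt.ts, tos=pkt.tos)
            self.flows[fwd] = st
        st.bytes_sent += pkt.length
        st.end = pkt.ts

    def flush(self, at: float) -> None:
        """Write one record per flow that carried traffic since the previous flush."""
        for key, st in list(self.flows.items()):
            if st.bytes_sent or st.bytes_received:
                sensor, proto, src, dst, sport, dport = key
                self.records.append({
                    "sensor_id": sensor, "ip_proto": proto, "src_ip": src, "dst_ip": dst,
                    "src_port": sport, "dst_port": dport, "service": SERVICE_BY_PORT.get(dport),
                    "ip_tos": st.tos, "bytes_sent": st.bytes_sent,
                    "bytes_received": st.bytes_received, "flow_start": st.start, "flow_end": st.end,
                })
                # Counters restart for the next interval; the start time is kept, which is why
                # only bytes sent, bytes received and end time differ between a flow's records.
                st.bytes_sent = st.bytes_received = 0
            else:
                del self.flows[key]   # assumption: no traffic for a whole interval ends tracking

    def finish(self) -> List[dict]:
        """Flush whatever is still pending at the end of the replay and return all records."""
        if self.next_flush is not None:
            self.flush(self.next_flush)
        return self.records


def sessions(records: List[dict]) -> Dict[FlowKey, dict]:
    """Fold per-interval flow records back into sessions: one entry per unique connection."""
    out: Dict[FlowKey, dict] = {}
    for r in records:
        key = (r["sensor_id"], r["ip_proto"], r["src_ip"], r["dst_ip"], r["src_port"], r["dst_port"])
        s = out.setdefault(key, {"bytes_sent": 0, "bytes_received": 0, "records": 0,
                                 "start": r["flow_start"], "end": r["flow_end"]})
        s["bytes_sent"] += r["bytes_sent"]
        s["bytes_received"] += r["bytes_received"]
        s["start"] = min(s["start"], r["flow_start"])
        s["end"] = max(s["end"], r["flow_end"])
        s["records"] += 1
    return out


def demo() -> List[dict]:
    """Constructed traffic: one HTTPS connection spanning three intervals plus one DNS exchange."""
    tcp, udp = 6, 17
    pkts = [
        Packet(0, 1, tcp, "10.0.0.5", "10.0.0.9", 51000, 443, 500),
        Packet(50, 1, udp, "10.0.0.5", "10.0.0.2", 40000, 53, 80),
        Packet(60, 1, udp, "10.0.0.2", "10.0.0.5", 53, 40000, 200),     # DNS reply
        Packet(100, 1, tcp, "10.0.0.5", "10.0.0.9", 51000, 443, 500),
        Packet(150, 1, tcp, "10.0.0.9", "10.0.0.5", 443, 51000, 1500),  # server to client
        Packet(200, 1, tcp, "10.0.0.5", "10.0.0.9", 51000, 443, 500),
        Packet(400, 1, tcp, "10.0.0.5", "10.0.0.9", 51000, 443, 200),   # second interval
        Packet(700, 1, tcp, "10.0.0.9", "10.0.0.5", 443, 51000, 3000),  # third interval
    ]
    tracker = FlowTracker()
    for p in pkts:
        tracker.process(p)
    return tracker.finish()


if __name__ == "__main__":
    recs = demo()
    for r in recs:   # this is what the flows report shows: three rows for the one HTTPS session
        print(r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"],
              r["bytes_sent"], r["bytes_received"], r["flow_start"], r["flow_end"])
    for key, s in sessions(recs).items():   # and this is the sessions view of the same data
        print("session", key, s)
```

Running it prints three flow records for the HTTPS connection with the same key and start time but different byte counts and end times, one record for the DNS exchange, and then two sessions. The session totals equal the sum of the flow records, which is the relationship between the two reports the reply describes.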